Splunk Search

get rex expression

Marwalg
New Member

My regex expression works properly, but since I am a newbie in Splunk I don't know how to get the rex expression. I would like to extract users that do not begin with PC, PRT or SRV. My regex expression is:

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 | regex _raw!="Nom\Wdu\Wcompte\W:\s*(PC|SRV|PRT)" 

Please advise?

1 Solution

Raghav2384
Motivator

Hey @Marwalg,

How about extracting all the users and then applying a condition that username != PC* OR PRT* OR SRV?

If you want to achieve this only via rex, could you post pseudo-events?

I have extracted all users from my _audit logs using rex like rex field=_raw "User:\s(?P<Username>\w+)\s "

Then I added a condition like | search NOT (Username="PC*" OR Username="PRT*") etc.

Hope this helps!

Thanks,
Raghav
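A check worth doing before settling on either approach: a real 4624 event carries two "Nom du compte" lines, one in the Subject block (for interactive logons this is usually the workstation's machine account, e.g. PC-0042$) and one in the New Logon block (the account that actually logged on). A negative `regex` on `_raw` rejects the event if either line matches, so it silently drops user logons on machines whose names start with PC or SRV. The Python below reproduces both pipelines of this thread over constructed, French-localized sample events so the difference can be seen offline. It is an added example, not code from the thread or from Splunk; the labels "Sujet :", "Nouvelle ouverture de session :" and "Nom du compte :", the CORP domain and all host and user names are assumptions. It also demonstrates two pitfalls in the field-based version: ORing the `!=` tests keeps every event (each name fails at least one prefix), and `\w+` truncates account names containing `-` or `$`.

```python
import re

# Constructed, French-localized Windows Security 4624 events (not from the thread).
# The labels "Sujet :", "Nouvelle ouverture de session :" and "Nom du compte :",
# the CORP domain and the host/user names are assumptions for this example.
TEMPLATE = (
    "Ouverture de session réussie.\n"
    "Sujet :\n"
    "\tNom du compte :\t\t{subject}\n"
    "\tDomaine du compte :\t\tCORP\n"
    "Nouvelle ouverture de session :\n"
    "\tNom du compte :\t\t{logon}\n"
    "\tDomaine du compte :\t\tCORP\n"
    "\tType d'ouverture de session :\t\t{logon_type}\n"
)


def make_event(subject, logon, logon_type):
    return TEMPLATE.format(subject=subject, logon=logon, logon_type=logon_type)


EVENTS = {
    # Interactive logon: the Subject block carries the workstation's machine
    # account, the New Logon block carries the human user.
    "alice@PC-0042": make_event("PC-0042$", "alice", 2),
    "bob->SRV-FILE01": make_event("-", "bob", 3),   # network logon by a user
    "machine": make_event("-", "SRV-FILE01$", 3),   # computer account logon
    "printer": make_event("-", "PRT-LOBBY$", 3),    # printer's account logon
    "pcarter": make_event("-", "pcarter", 3),       # user whose name starts with "pc"
}

# The question's approach: `| regex _raw!="Nom\Wdu\Wcompte\W:\s*(PC|SRV|PRT)"`.
# Splunk's regex command is PCRE; Python agrees for this pattern: case-sensitive,
# matched anywhere in _raw, so either "Nom du compte" line can trigger it.
RAW_EXCLUDE = re.compile(r"Nom\Wdu\Wcompte\W:\s*(PC|SRV|PRT)")


def raw_filter(events):
    """Drop an event if the pattern matches either 'Nom du compte' line."""
    return {k: e for k, e in events.items() if not RAW_EXCLUDE.search(e)}


# The answer's approach, with the rex anchored on the New Logon block so the
# Subject's machine account is ignored. \S+ (not \w+) keeps '-' and '$' in names.
NEW_LOGON_ACCOUNT = re.compile(
    r"Nouvelle ouverture de session :.*?Nom du compte :\s*(?P<Username>\S+)", re.S
)


def extract_username(event):
    """Equivalent of `| rex field=_raw "<pattern>"`: the extracted field, or None."""
    m = NEW_LOGON_ACCOUNT.search(event)
    return m.group("Username") if m else None


def splunk_match(value, pattern):
    """`search Field="PC*"` semantics: '*' is a wildcard, values compare case-insensitively."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, value, re.I) is not None


def field_filter(events, prefixes=("PC", "PRT", "SRV"), combine="and"):
    """Equivalent of rex followed by search on the extracted field.

    combine="and": Username!="PC*" AND Username!="PRT*" AND Username!="SRV*"
                   (same as NOT (Username="PC*" OR Username="PRT*" OR Username="SRV*"))
    combine="or":  Username!="PC*" OR Username!="PRT*" OR ...   (true for every name)
    Events where rex produced no field are dropped, as `Field!=value` does in Splunk.
    """
    kept = {}
    for key, event in events.items():
        user = extract_username(event)
        if user is None:
            continue
        tests = [not splunk_match(user, p + "*") for p in prefixes]
        if all(tests) if combine == "and" else any(tests):
            kept[key] = user
    return kept


if __name__ == "__main__":
    print("raw  :", sorted(raw_filter(EVENTS)))                  # loses alice, keeps pcarter
    print("field:", field_filter(EVENTS))                        # alice and bob only
    print("or   :", sorted(field_filter(EVENTS, combine="or")))  # every event survives
```

The SPL counterpart of `field_filter(..., combine="and")`, under the same assumed field labels, is a rex anchored on the New Logon block (with `(?s)` so `.` crosses line breaks in the multi-line event) followed by `| search NOT (Username="PC*" OR Username="PRT*" OR Username="SRV*")`. Because `search` compares field values case-insensitively while `regex` is case-sensitive by default, "pcarter" is kept by the raw filter but excluded by the field filter; decide which behaviour you actually want before choosing.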

Marwalg
New Member

Yes! It works perfectly 😄 😄 Thanks for the answer 🙂
